In the Specification 



On Page 2 line 18 after "evaluating the security risk.", please insert the following two 
paragraphs: 

-"A computer program product for evaluating a security risk of an application, said 
computer program product comprising: a computer readable medium; first program 
instructions to receive user input as to whether unauthorized access or loss of said data would 
cause substantial damage, whether said application is vulnerable to attack by a third party, 
whether the application is shared by different customers, and mitigation controls for the 
security risk of said application; and second program instructions to assign a numerical value 
or weight to each of the foregoing determinations, each of said numerical values or weights 
corresponding to a significance of the determination in evaluating said security risk, and 
combine the numerical values or weights to evaluate the security risk; and wherein said first 
and second program instructions are recorded on said medium. 

A computer program product for evaluating a security risk of an application, said 
computer program product comprising: a computer readable medium; first program 
instructions to receive user input as to whether unauthorized access or loss of data maintained 
or accessed by said application would cause substantial damage, whether said application is 
shared by different customers, and whether a vulnerability in said application can be exploited 
by a person or program which has not been authenticated to said application or a system in 
which said application runs; and second program instructions to assign a numerical value or 
weight to each of the foregoing determinations, each of said numerical values corresponding 
to a significance of the determination in evaluating said security risk, and combine the 
numerical values or weight to evaluate the security risk; and wherein said first and second 
program instructions are recorded on said medium."-. 

Paragraph with markings:

The invention also resides in another system, method and program product for a 
security risk of an application. A determination is made whether unauthorized access or loss 
of the data would cause substantial damage. A determination is made whether the application 
is vulnerable to attack by a third party. A determination is made whether the application is 
shared by different customers. A determination is made as to mitigation controls for the 
security risk of the application. A numerical value or weight is assigned to each of the 
foregoing determinations. Each of the numerical values or weights corresponds to a 
significance of the determination in evaluating the security risk. 

A computer program product for evaluating a security risk of an application, said
computer program product comprising: a computer readable medium; first program
instructions to receive user input as to whether unauthorized access or loss of said data would
cause substantial damage, whether said application is vulnerable to attack by a third party,
whether the application is shared by different customers, and mitigation controls for the
security risk of said application; and second program instructions to assign a numerical value
or weight to each of the foregoing determinations, each of said numerical values or weights
corresponding to a significance of the determination in evaluating said security risk, and
combine the numerical values or weights to evaluate the security risk; and wherein said first
and second program instructions are recorded on said medium.

A computer program product for evaluating a security risk of an application, said
computer program product comprising: a computer readable medium; first program
instructions to receive user input as to whether unauthorized access or loss of data maintained
or accessed by said application would cause substantial damage, whether said application is
shared by different customers, and whether a vulnerability in said application can be exploited
by a person or program which has not been authenticated to said application or a system in
which said application runs; and second program instructions to assign a numerical value or
weight to each of the foregoing determinations, each of said numerical values corresponding
to a significance of the determination in evaluating said security risk, and combine the
numerical values or weight to evaluate the security risk; and wherein said first and second
program instructions are recorded on said medium.